feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC: LoginCommandHandler: - login success → action=login result=success actorUserId=user.Id - login failure disaggregated internally (client still sees 401 unified): user_not_found / user_inactive / invalid_password — attempts captured with attemptedUsername + FailureReason LogoutCommandHandler: - action=logout result=success actorUserId=cmd.UsuarioId RefreshCommandHandler: - refresh.issue success on successful rotation - refresh.reuse_detected failure when revoked token is presented (chain revoke already happens; we add the security event with metadata.familyId) - refresh.issue failure for: token_expired / sub_mismatch / user_not_found / user_inactive PermissionAuthorizationHandler: - permission.denied failure on require-permission rejection, with metadata { permissionRequired, endpoint, method }. ActorUserId from JWT sub. DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure). Test updates: 4 test classes now inject ISecurityEventLogger mock: - LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests - PermissionAuthorizationHandlerTests (Api.Tests) Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing. Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC, design, tasks#B9}
2026-04-16 13:59:27 -03:00
parent a3f01bc6c9
commit b619c05762
8 changed files with 89 additions and 10 deletions
--- a/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
@@ -2,6 +2,7 @@ using Microsoft.Extensions.Logging;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -19,6 +20,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
    private readonly IClientContext _clientContext;
    private readonly AuthOptions _authOptions;
    private readonly IRolPermisoRepository _rolPermisoRepository;
+    private readonly ISecurityEventLogger _security;
    private readonly ILogger<LoginCommandHandler> _logger;

    public LoginCommandHandler(
@@ -30,6 +32,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        IClientContext clientContext,
        AuthOptions authOptions,
        IRolPermisoRepository rolPermisoRepository,
+        ISecurityEventLogger security,
        ILogger<LoginCommandHandler> logger)
    {
        _repository = repository;
@@ -40,6 +43,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        _clientContext = clientContext;
        _authOptions = authOptions;
        _rolPermisoRepository = rolPermisoRepository;
+        _security = security;
        _logger = logger;
    }

@@ -47,12 +51,30 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
    {
        var usuario = await _repository.GetByUsernameAsync(command.Username);

-        // Deliberately vague — never reveal which check failed
-        if (usuario is null || !usuario.Activo)
+        // Deliberately vague to the client — never reveal which check failed.
+        // Internally, SecurityEvent captures the precise FailureReason for ops.
+        if (usuario is null)
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: null, attemptedUsername: command.Username,
+                failureReason: "user_not_found");
            throw new InvalidCredentialsException();
+        }
+        if (!usuario.Activo)
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: usuario.Id, attemptedUsername: command.Username,
+                failureReason: "user_inactive");
+            throw new InvalidCredentialsException();
+        }

        if (!_hasher.Verify(command.Password, usuario.PasswordHash))
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: usuario.Id, attemptedUsername: command.Username,
+                failureReason: "invalid_password");
            throw new InvalidCredentialsException();
+        }

        var accessToken = _jwtService.GenerateAccessToken(usuario);

@@ -83,6 +105,8 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
        var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();

+        await _security.LogAsync("login", "success", actorUserId: usuario.Id);
+
        return new LoginResponseDto(
            AccessToken: accessToken,
            RefreshToken: rawRefresh,      // raw to client — never stored